As members of the Fusion Middleware Architecture Group (a.k.a. the A-Team), we get exposed to a wide range of challenging technical issues around security and Oracle Fusion Middleware. We're using this blog to answer common questions and provide interesting solutions to the real-world scenarios that our customers encounter every day.
NOTICE: All our posts and much more can now be found at http://www.ateam-oracle.com/category/identity-management/

Tuesday, April 24, 2012

Here is a post on integrating OAM 11g with IPM. This integration is implemented on top of the OAM/UCM integration I did back in December.

Prerequisites

Install, configure and integrate UCM with OAM. Click here for the post I did for OAM/UCM.

Install and configure IPM with the same OHS proxy used to proxy the UCM application.

High Level Steps/Checklist

1. Configure an OHS server to proxy all requests to IPM (/imaging).

2. Register a webgate with the URLs you want to protect.

3. Configure an OAM Identity Asserter and LDAP/OVD provider in WebLogic.

4. Validate that users can access IPM with WLS Security.

5. Install a webgate on the OHS server and validate.

Notes:

Steps 2 through 4 may have been completed in the steps defined in the OAM-UCM integration.

Verifying the ‘/imaging’ URL may result in a “404 Not Found” error. This will occur if you have a webgate on the OHS server already installed and have not defined a policy to protect this URI. This is expected due to the webgate setting of ‘denyOnNotProtected’.

The rreg tool can be found and executed on the same box where OAM is installed. No need to un-tar.

Create a new IPM-Request.xml. Since the same OHS server that proxies UCM is also being used to forward/proxy the IPM app, use the same host identifier and agent name as defined for UCM. The only difference is the protected and public resources.

When asked to enter the admin user and password, make sure the user is part of the system store you configured for OAM (e.g. testuser1/welcome1).

NOTE: Make sure you copy the new artifacts from the RREG output directory to the OHS webgate directory (i.e. .../Oracle_WT1/instances/instance1/config/OHS/ohs1/webgate/config) and restart the OHS server.

Steps 4 and 5 from Section 2.3.5 were already completed during the UCM/OAM setup.

Troubleshooting tips:

Cannot login via OAM – A few things to verify:

Make sure that the LDAP Authentication Module in the OAM console is pointing to the correct data store.

Make sure that the WLS provider matches the same OAM data store configuration.

Monday, April 23, 2012

A GTC-based connector is one of the most used approaches for reconciling data into OIM, especially through the use of flat files. A common issue is that some customers do not allow direct communication between OIM and the HR system (for different reasons, such as an outsourced HR system, security constraints and others), hence a flat file is made available to OIM so that it can reconcile users.

Very often, there is a need to manipulate the data to be reconciled in OIM through the GTC connector. When that is true, most customers end up creating event handlers to manipulate reconciled data. The problem with this approach is that in OIM 11g, only 'post process' event handlers can be used to manipulate reconciliation data (and the data can only be manipulated after it has been reconciled into OIM), and this can make some manipulations really tricky and/or cumbersome.

Wednesday, April 18, 2012

One of my mottos is "why do something by hand if you can automate it in twice the time?"

So a while back I put together a bunch of scripts to do just that. They've been handed around by a few people and Warren Strange eventually had the sensible idea to put them up on GitHub along with some other useful stuff.

I can only take credit for the "installscripts" directory there, but thought I'd at least put a pointer here to the main project.

Tuesday, April 17, 2012

The capability to retrieve and set HTTP headers in BPEL was recently added to Oracle SOA Suite 11g. Edwin Biemond has written an excellent blog post on how to use this capability.

From a security/IDM perspective, I think this feature opens up the ability to create some interesting solutions whereby identity information is added to HTTP headers by OAM (or other SSO products) in the web tier and consumed by services in the app tier. It also makes it possible to pass identity data between services in HTTP headers and thereby avoid having to modify the web service requests themselves.

I'll only add, as a warning, a reminder that end users can add whatever HTTP headers they want to the requests they make. So, solutions should be developed with this in mind. In particular, if you are going to create a solution that depends on BPEL consuming an HTTP header created by an OAM response, you need to take steps either to ensure that this header really came from OAM (by signing or encrypting it) or to ensure that all requests to BPEL really did originate from the web tier with OAM in front of it.
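To make the warning above concrete, here is an added example (not code from this post, from Oracle SOA Suite, or from OAM) of the two controls it names: the web tier signs the identity header with an HMAC bound to a timestamp, and the app tier accepts the header only when the signature verifies and the request arrived from a trusted web-tier address. The header names, the shared secret and the web-tier address are assumptions constructed for the example; the app-tier check is written in Python rather than BPEL so it can be run directly.

```python
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional

# Constructed values for the example. A real deployment would pull the secret from a
# credential store and the web-tier address from the environment inventory.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
TRUSTED_WEB_TIER = {"10.0.0.5"}          # assumed address of the OHS/webgate host
USER_HEADER = "x-oam-remote-user"        # assumed name of the OAM response header
SIG_HEADER = "x-oam-remote-user-sig"     # assumed name of the signature header
TS_HEADER = "x-oam-issued-at"            # assumed name of the timestamp header
MAX_AGE_SECONDS = 300                    # how long a signed assertion stays valid


def _message(user: str, issued_at: int) -> bytes:
    # Bind the user name to the timestamp so a captured signature cannot be
    # reattached to another user or replayed indefinitely.
    return f"{user}|{issued_at}".encode("utf-8")


def sign_identity(user: str, issued_at: int, secret: bytes = SHARED_SECRET) -> dict:
    """What the web tier attaches: the user header plus an HMAC-SHA256 over user|timestamp."""
    digest = hmac.new(secret, _message(user, issued_at), hashlib.sha256).digest()
    return {
        USER_HEADER: user,
        TS_HEADER: str(issued_at),
        SIG_HEADER: base64.b64encode(digest).decode("ascii"),
    }


def verify_identity(headers: dict, peer_addr: str, now: Optional[int] = None,
                    secret: bytes = SHARED_SECRET) -> Optional[str]:
    """App-tier check: return the asserted user only if every control passes, else None."""
    now = int(time.time()) if now is None else now

    # Control 1: only honour identity headers on requests that came through the web tier.
    # This is only meaningful if the app tier is not reachable by any other path.
    if peer_addr not in TRUSTED_WEB_TIER:
        return None

    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    user, sig_b64, ts_raw = h.get(USER_HEADER), h.get(SIG_HEADER), h.get(TS_HEADER)
    if not user or not sig_b64 or not ts_raw:
        return None  # a bare user header, as an end user could send, is not enough

    try:
        issued_at = int(ts_raw)
        sig = base64.b64decode(sig_b64, validate=True)
    except (ValueError, binascii.Error):
        return None

    # Control 2a: reject stale assertions (limits the replay window).
    if abs(now - issued_at) > MAX_AGE_SECONDS:
        return None

    # Control 2b: recompute the HMAC and compare in constant time.
    expected = hmac.new(secret, _message(user, issued_at), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return user


def demo() -> dict:
    """Exercise the checks against constructed requests; returns the outcome of each case."""
    t = 1_000_000
    good = sign_identity("testuser1", t)
    forged = dict(good)
    forged[USER_HEADER] = "weblogic"          # user swapped, signature left unchanged
    return {
        "signed_from_web_tier": verify_identity(good, "10.0.0.5", now=t),
        "user_swapped": verify_identity(forged, "10.0.0.5", now=t),
        "direct_to_app_tier": verify_identity(good, "192.0.2.10", now=t),
        "stale": verify_identity(good, "10.0.0.5", now=t + MAX_AGE_SECONDS + 1),
        "unsigned_header_only": verify_identity({USER_HEADER: "testuser1"}, "10.0.0.5", now=t),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Only the first case yields a user; the forged, direct, stale and unsigned requests all come back as None. The peer-address check alone is not sufficient if any client can reach the app tier directly, which is why the signature is the control to rely on; if the header must also be hidden from the client rather than merely authenticated, encrypt it instead of (or in addition to) signing it.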

Tuesday, April 3, 2012

In a previous post I talked a little about protecting only a part of an application with OAM. I included this bit of text describing the use case:

But what if you want to let users access part of the app anonymously, but require them to log in to access some of the app's features? I don't know what anyone else calls this sort of flow, but I call it the shopping cart model (browse around tossing stuff in your cart, then sign in to check out).

That post talked about how to support the "shopping cart" login model with OAM if you're using ADF, but what if you're trying to accomplish that with plain old HTML or something else?